U.S. Serial No. 10/685,882 

Response to the Office action of June 20, 2007 

REMARKS 

Claims 1-32 are pending and at issue in the above identified patent application. Claims 
30-32 are newly presented. Of the claims at issue, claims 1, 8, 15, and 23 are independent. In 
view of the following remarks, reconsideration and allowance of the application are respectfully 
requested. 

The Rejections under 35 U.S.C. § 103 

Claims 1, 3, 5, 6, 8, 10-12, 15, 17-21, and 25-28 were rejected as being unpatentable over 
Rawson (US 6,128,223) in view of Lettvin (US 5,559,960). As explained below, the rejections are 
traversed. Reconsideration and withdrawal of the rejections are respectfully requested. 

Claims 1, 8, 15, and 23 are generally directed to the initialization of a Virtual Machine 
Monitor (VMM), and the detection of an intrusion event. In particular, claims 1, 8, 15, and 23 
respectively recite, inter alia, "initializing a virtual machine monitor (VMM) in a processor 
system during a pre-boot phase," "instructions, which when executed, cause a machine to 
initialize a virtual machine monitor (VMM) in a processor system during a pre-boot phase," "a 
virtual machine monitor initialized from the firmware during a pre-boot phase," and "a processor 
being programmed to initialize the VMM during a pre-boot phase." As such, all of these 
recitations indicate that either a VMM is initialized during a pre-boot phase, or that a machine or 
instructions are programmed to do the initialization of the VMM during a pre-boot phase. 

Claims 1, 8, 15, and 23 were rejected as obvious over Rawson in view of Lettvin. 
However, neither Rawson nor Lettvin, either alone or in combination, teaches or suggests the 
initialization of a VMM to identify at least one of a network intrusion event and a physical 
intrusion event. 

In contrast, Rawson is directed to the one time detection of a physical intrusion and fails 
to teach or suggest the initialization of a VMM. The failure of Rawson to describe a VMM is 
admitted in the Office action. In particular, the examiner admits that "Rawson does not 
explicitly disclose initializing a virtual machine monitor (VMM) in a processor system during a 
pre-boot phase" (Office action, Page 3). 

To overcome the deficiencies of Rawson, the examiner attempts to utilize the description 
of Lettvin. In particular, the examiner suggests that "Lettvin discloses initializing a virtual 
machine monitor (VMM)", and moreover, it would have been obvious to modify Rawson "by 
initializing the VMM during a pre-boot phase as taught by Lettvin to provide a startup disk that 
causes the computer to automatically execute anti-virus software each time the computer starts 
from the disk, i.e., during bootstrap, so as to detect bootstrap time virus before or after they have 
executed and implanted themselves in the system." (Office action, Page 3). While Lettvin 
certainly does provide a startup disk that causes the computer to automatically execute anti-virus 
software each time the computer starts from the disk, Lettvin fails to describe the initialization of 
a VMM. 

In particular, Lettvin is directed to a one time anti-virus process initiated during pre-boot, 
and does not teach or suggest the initialization of a VMM, despite the allegations in the Office 
action. Specifically, the examiner relies on Lettvin 7:23-67, 8:1-17, and FIG. 3, for a description 
of VMM initialization in a pre-boot phase. It is respectfully submitted, however, that this 
reliance is misplaced. The passages relied upon by the examiner describe a one-time virus 
removal and integrity check software function initiated and terminated in the bootstrap 
environment. Nowhere does the bootstrap sequence of Lettvin teach the initiation of a VMM, 
and more particularly, Lettvin fails to describe or suggest that a startup disk automatically 
executing anti-virus software may be properly considered a VMM. Additionally, once the 
anti-virus bootstrap sequence is completed, the process is terminated (Lettvin 8:40-43; "[at] step 322 
the BTOS causes the computer to execute the normal bootstrap program and then finishes at step 
324") and thus cannot be fairly considered a VMM. Accordingly, Lettvin similarly fails to teach 
or suggest the initialization of a VMM. 

Therefore, due to the deficiencies in both Rawson and Lettvin, it follows that no 
combination of Rawson and Lettvin can render obvious claims 1, 8, 15, and 23 or any claims 
dependent thereon. Withdrawal of the rejections based on Rawson and Lettvin and allowance of 
the pending claims are respectfully requested. 

Claim 30 

New claim 30 is generally directed toward the continuous identification of the at least one 
network traffic intrusion and physical security intrusion event by the VMM. Support for this 
amendment may be found throughout the Detailed Description as originally filed including, for 
example, FIG. 4 and accompanying text. As noted above, both Rawson and Lettvin are directed 
toward the one time detection of a physical intrusion and/or network intrusion, and fail to teach 
or suggest the continuous identification (i.e., monitoring) of the system as recited in the claim. 

Accordingly, due to the deficiencies in both Rawson and Lettvin, it follows that no 
combination of Rawson and Lettvin can render obvious claim 30. 

Claim 31 

New claim 31 is generally directed toward the identification of both at least one of a 
network traffic intrusion event and at least one physical security intrusion event by the VMM. 
Support for this amendment may also be found throughout the Detailed Description as originally 
filed including, for example, FIG. 4 and accompanying text. While Rawson describes the 
detection of a physical intrusion and Lettvin describes the detection of a network intrusion, 
neither Rawson nor Lettvin teaches or suggests both the detection of a physical intrusion and the 
detection of a network intrusion. 

Accordingly, due to the deficiencies in both Rawson and Lettvin, it follows that no 
combination of Rawson and Lettvin can render obvious claim 31. 

Claim 32 

New claim 32 is generally directed toward the initializing of a plurality of virtual 
machines, wherein each of the plurality of virtual machines operates like a complete physical 
machine that can run its own operating system. Support for this amendment may also be found 
throughout the Detailed Description as originally filed including, for example, paragraph [0014]. 
Neither Rawson nor Lettvin teaches or suggests the initialization of a plurality of virtual machines 
as recited in the present claim. 

Accordingly, due to the deficiencies in both Rawson and Lettvin, it follows that no 
combination of Rawson and Lettvin can render obvious claim 32. 

Conclusion 

If there is any matter that the examiner would like to discuss, the examiner is invited to 
contact the undersigned representative at the telephone number set forth below. 

The Commissioner is hereby authorized to charge any deficiency in the amount enclosed 
or any additional fees which may be required during the pendency of this application under 
37 CFR 1.16 or 37 CFR 1.17 or under other applicable rules (except payment of issue fees), to 
Deposit Account No. 50-2455. Please refund any overpayment to Hanley, Flight, and 
Zimmerman at the address below. 



Respectfully submitted, 

Hanley, Flight & Zimmerman, LLC 
150 South Wacker Drive 
Suite 2100 

Chicago, Illinois 60606 



Dated: October 22, 2007 /Keith R. Jarosik/ 

Keith R. Jarosik 
Reg. No. 47,683 
Attorney for Applicants 
(312)580-1133 